A German software company has threatened legal action against a security researcher who privately reported a critical vulnerability in one of its programs, Dark Reading reports.
Legal goons from Magix AG sent a nasty gram to a researcher who goes by “Acidgen” after he reported the stack buffer overflow in the company's Music …

COMMENTS

....typical

rather than say 'thanks for highlighting how crap our software really is' - they try and fill the cavernous security holes with legal threats - how does that help?? Just get on and fix the crap that has been created and learn from them.

It is more "THANKS" than you think

The continuous release of exploits and zero-days is the biggest factor in forcing users (especially corporates) to do security updates. These nowadays happen over the Internet and allow the software vendor to do license enforcement as well as disable pirated copies. Windows black screen of piracy, Panda "buy me or else", etc - you name it.

Making moves against exploits is genuinely stupid from a business perspective. This damages the company bottom line. If it was not for the endless flow of exploits and updates against them, pirated copies would have continued to flourish the way they did in the 90s.

If you read carefully

"He also told the representatives he planned to disclose vulnerability details publicly **once a patch was released.**"

To me, that says he was willing to wait for them to fix the problem before telling people. So he simply wanted the credit for finding the hole, and wasn't making any threat of any kind.

He told the company first before going to the press, offered help to fix the problem he found (yes he would have wanted paying for doing work, what a concept) and either way would keep the problem quiet until it was fixed.

Depends how it was worded...

perhaps something like "Hi, your software has bug bla bla bla, one needs to do bla bla bla to exploit it. After you've released a fix for this bug, please notify me as I intend to publish a report and exploit code. Should you need help with fixing the bug, my company bla bla might be of assistance"

Let me fix that for you:

Interesting how totally making stuff up can make such a difference to new information

From the article: "Acidgen also provided suggestions for fixing the flaw." That would be FOR FREE. You know what, anyone who wants to can freely extort ABSOLUTELY NOTHING from me at any time. It really fits solidly into the "I don't mind" department.

In addition, he didn't make a demand that it be patched in a certain timeframe, he REQUESTED to know when they would release the patch so that he could withhold publishing his research until a fix could be deployed.

It sounds an awful lot like he did all the right things. His FIRST concern was protecting the users of this software, his own ego was a close second. Even after it, apparently, has been patched, he still only disclosed the vulnerability, not the PoC code, WHICH HE APPARENTLY WROTE AT THEIR REQUEST.

He said, she said

One side says extortion, the other side says;

"He also told the representatives he planned to disclose vulnerability details publicly once a patch was released."

Granted we'll never know what was really said without the original unadulterated emails but even slightly ambiguous language can be taken either way. Add in a dash of meaning lost in translation and you've got suit guns at 20 paces.

File an injunction against Magix

So when is Acidgen going to file an injunction against Magix forcing them to recall all software sold since his private disclosure and stopping all further sale of the software until the vulnerability has been proved fixed? BTW I'm no lawyer, but then again that's probably already clear.

my company web site...

...Once got owned by a group of defacer types. It was pretty much a boilerplate hack. No damage to the actual site, just a new index page. The deface page linked to their IRC server, so I went in, introduced myself, and politely asked what the vuln was and how I could fix it. I figured that if I got nailed so easily I must have done something dumb; no point in getting in a huff.

They were quite helpful - one of them sent a message to the guy who did the hack to join - and told me what was up. Turns out there was a problem with phpBB, and my ISP hadn't updated mine. I asked them what I needed to do, and the hacker said, "nothing - I fixed it after I got in". And he had.

It makes no sense at all that people respond like this - all you do is piss off someone who's already proven they have the ability to hurt you. It's a bit like the saying about trying to beat up an elephant bare-handed - you get tired and the elephant gets pissed off.

"criminalizes the creation or possession of dual-use security tools."

all illegal in Germany

I believe this point was made at the time, but the lawyers were too stupid to understand.

Fortunately, I'm sure there are now plenty of people outside Germany applying such tools to this company's software, and plenty of clued-up Germans now looking for alternatives to a piece of software that, even if not already exploited, probably only has a week or so to go before it becomes an unacceptable liability on any sane person's system.

If you read the article.....

It does not say there was a deadline on him releasing the information.

I agree that setting a deadline on the release of the information, and offering to fix it for a fee could be considered extortion.

However, by the information presented herein, I would assume that there was no deadline. So the info would only have been released after they had patched it, whenever that was, if ever. So, no extortion, just a possible business deal to expedite their release of a patch.

I seem to be alone

I see the company would benefit from his initial advice, but I can share their concern about subsequent publication. How would they know all users had patched?

What value does the wider community get from knowing the entrails, rather than the existence, of this vulnerability? OK, if it is novel then some anonymous details might help other programmers, but otherwise I reckon blurting the works is no more than self-aggrandisement.

Even though I am very doubtful about the publication idea, if it were me a polite request to defer and a bottle of champers would be infinitely better than raising the landsharks. That does smack of management-by-panic.

Put yourself in the shoes of the researcher.

You've just done a lot of work to work out how to exploit a vulnerability and suggested ways to patch it. You've emailed the company with the info and, being a good boy, have been waiting for them to fix it. No money changed hands. Is it too much to ask to be able to publish details of the vulnerability? If/when this guy is looking for another job in security, a portfolio of discovered and published bugs will help him, just like it helps an artist to have some works of his to hand. It's also, undeniably, an ego gratification. So what?

Also, you need to be aware that whenever a vendor releases a patch, vulnerability details are already public - it's easy to automatically extract the differences between two file versions and then work out the details of what was wrong - and it commonly happens for Windows patches, so people who don't patch are already at a disadvantage and publication by the discoverer doesn't change a thing.

"otherwise I reckon blurting the works is no more than self-aggrandisement."

non-reinvention of the failed wheel

"OK, if it is novel then some anonymous details might help other programmers"

And no one can know that unless they release the details. You cannot just look at a vulnerability and instantly tell if it is a one-off or may be a hidden booby-trap in other programs - if nothing else, the fact the Germans didn't see this pre-release says it isn't glaringly obvious, yet we know it is not up to snuff. Someone has to make it known publicly, and then people can determine if their software has a similar bug or not.

The techniques...

...used to find the exploit can likely be used by others to spot similar exploits in other software. Publishing them gives the actual code-creators a chance to do the checking for themselves, rather than just the crackers who stumble across the same technique and share it just amongst themselves.

This is a sure sign of a company that has gone to seed

Software companies are usually started by enthusiastic, obsessive types who love what they're doing and actually know a lot about it. Over time they get too rich/bored/fed up of meetings/etc., and move on. Their place gets taken by either business or financial types who think quite differently and whose paranoia (born from the understanding that most people they deal with on a daily basis know more about the products they make than they do, including many of their customers) makes them see everyone they cannot control as an enemy.

In western democracies the civilised way of dealing with enemies involves setting the lawyers on them and seeing who has the deepest pockets.

Just proves the old rule

@Oninoshiko

Thanks for those links, especially the second one.

That timeline really underlines just how ignorant the legal department of Magix AG have been. Good grief, they even request work from the guy which he supplies free of charge, then have the gall to threaten him.

Stupid?

Remember it's not the *application* that matters

It's what's on the computer *running* the app that can be discovered or trashed once an outsider has gained access. That would be the *minimum* damage that could be done. If they can download stuff or upload your files it's *much* worse.

TBF maybe the company has never had a bug reported to them in this way and responded badly.

OTOH maybe others *have* tried to report bugs (and their fixes) to them and been dealt with the same way and have stopped *bothering* to help them.

Fail because in business you can *never* have too many helpful friends and they seem to have managed to turn a friend into at best someone who will not *bother* reporting any more bugs to them or (worst case) someone who is actively hostile toward them.

Nothing too unusual

A while back I was running the Spamwise site, which helped to uncover vulns in BBS, Web directories and the like which (mostly through stupid coding mistakes rather than actual intent) were leaking subscribers' email addresses to spammers.

Most sites thanked us, but a few reacted like this.

I suppose the bottom line is that some site owners are more interested in beancounters than binaries, and anything which is seen to damage their business cred is reacted to with seething hostility.

Given that...

...free speech in Germany doesn't extend to such niceties as being able to play Wolfenstein 3D, I would say that "THERE IS INDEED CENSORSHIP".

Whether or not it's justified in the eyes of the majority, Germany's absurdly draconian (and pointless) "la la la it never happened I can't hear you" laws regarding Nazi imagery are most definitely censorship.

Actually

a) nobody is allowed to derive any kind of enjoyment from anything related to Nazism, not even shooting at it

b) You are too stupid to inform yourself from historic sources and will instantly turn into a Nazi if you read anything not vetted by a state-approved authority.

There was a hell of a stink when some publishing company wanted to reprint 1930s newsletters as their copyright ran out. And don't get me started on the platitudes coming from our government/media in 2006 when everybody suddenly started flying the German flag everywhere for the world championship: Omg - it's 1934 all over again...can we make a law against it...they'll be burning synagogues before half-time.

I wish I was joking but there actually was an initiative to make a law against private citizens flying the national flag. And to make it worse what stopped it was probably not the fact that such a law is unconstitutional but more likely the insight that it is political suicide to come between a German and his football game. Never mind that the championship was used as a distraction to pass some very ugly laws very quietly.

Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden.

Re: the German history curriculum

"Believe me - Nazism is about half of the whole history curriculum in school here. Hell, our national holiday is a day of showing Nazi documentaries on TV and depressive speeches about our heavy historical burden."

Given the average youth's reaction to being told "you must not do that, ever" I'd say that was a courageous decision on the part of the curriculum planners.

I'm also curious to know exactly how that works. Do you tell the truth and traumatize the little children, or do you tone it all down and thereby leave them wondering what all the fuss is about?

This is the worst mistake Germany could make

It's a classic example of the old saying regarding those who would destroy that which they most despise end by becoming it. In its fanatical efforts to deny or suppress Nazi sympathizers, the German government is becoming increasingly Nazi-like in its efforts.

Furthermore, there is the danger that by repressing Nazi expression, the German government could be creating sympathy for it by virtue of the human tendency to champion the underdog. They would be far better off simply legalizing Nazi memorabilia and expression, and then publicly mocking and ridiculing those who support it - much like people do with the BNP in the UK.

And as far as what the Nazis actually did - well, most of them are dead, and those who fought them who are still alive are now in their 90s. And memories are short.

@DROP TABLE

Your first two paragraphs are fine. You want to watch the third. Most of us don't need to have been around at the time to "remember" what they did. Such "memories" are not short, and IMHO neither should they be.

But yeah, banning this stuff just makes everyone behave like thwarted teenagers.